I am a beginner in PHP, and maybe the problem is very simple, but when I try to get the hash from my DB and let password_verify do all the work, it always gives me false, even with the correct password. I tried to copy-paste the hash from the DB and put it inside password_verify, and it worked.

$sql="SELECT * FROM users WHERE username='$myusername'";
$result=mysqli_query($connection,$sql);

// mysqli_num_rows counts the rows in the result
$count=mysqli_num_rows($result);
// If the result matched $myusername, there must be exactly 1 row
if($count==1){
    // This must be the problematic place
    $hash = mysqli_query($connection,"SELECT jelszo FROM users WHERE username =='$myusername'");
    if(password_verify($myjelszo,$hash))
    {
        // Register $myusername, $myjelszo and redirect to file "login_success.php"
        $_SESSION['username']= "myusername";
        $_SESSION['jelszo']= "myjelszo";
        header("location:login_success.php");
    }
    else {
        echo "Wrong Username or Password";
    }
}
Exyion
  • Why can't you fetch all the details in a single query? – Rotimi Apr 22 '17 at 20:55
  • You are using the password hash function wrongly. Why don't you read the usage? In the function, pass the hashed password as the first parameter and the input password as the second parameter. – Rotimi Apr 22 '17 at 20:56

2 Answers

First of all, you should not pass variables directly into your query, but should use prepared statements (in this particular case):

$sql="SELECT * FROM users WHERE username='$myusername'";
$result=mysqli_query($connection,$sql);

should be something like:

$stmt= $connection->prepare("SELECT * FROM users WHERE username=?");
$stmt->bind_param("s", $myusername);
$stmt->execute();


Another problem I see is in this query:

$hash = mysqli_query($connection,"SELECT jelszo FROM users WHERE username =='$myusername'");

The double == should be a single one, since this is an SQL query:

$hash = mysqli_query($connection,"SELECT jelszo FROM users WHERE username ='$myusername'");

But again, it should be secured against injection by transforming it into a prepared statement (see the previous example).

Next, I assume $myjelszo is your password stored in a variable; do not sanitize the input in any way. We had a discussion about it and tests have been made; please read this thread about password security carefully => https://stackoverflow.com/a/36628423/4950530

Louis Loudog Trottier
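The asker's actual bug, which the answer above points at but does not show in code, is that mysqli_query() returns a mysqli_result object, and that object, not the hash string, is what reaches password_verify(); the hash has to be fetched out of the row first. The following is an added example (not code from the question or from either answer) of the whole login flow with prepared statements, fetching the hash and calling password_verify(plaintext, hash) in the correct argument order. It assumes a mysqli connection in $connection, a users(username, jelszo) table whose jelszo column holds a value produced by password_hash(), and the form variables $myusername / $myjelszo from the question; the function names register_user and check_login are invented for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the asker's or either answerer's code. Assumes a mysqli
// connection and a table users(username, jelszo) where jelszo stores a
// password_hash() result. register_user / check_login are hypothetical names.

// Store a new password: never the plaintext, always a password_hash() value.
function register_user(mysqli $db, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare("INSERT INTO users (username, jelszo) VALUES (?, ?)");
    $stmt->bind_param("ss", $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Check a login attempt. Returns true only when the user exists and the
// submitted password matches the stored hash.
function check_login(mysqli $db, string $username, string $password): bool
{
    // Prepared statement: the username is bound, never interpolated into SQL,
    // and a single = is the SQL comparison (== is not SQL).
    $stmt = $db->prepare("SELECT jelszo FROM users WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();

    // execute()/mysqli_query() give you a result set, not the column value.
    // Bind the column and fetch the row so $hash holds the actual hash string;
    // this is the step the question's code skipped.
    $hash = null;
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        // Unknown user: still run password_verify() against a precomputed
        // dummy hash so the response time does not reveal whether the
        // username exists (user enumeration via timing).
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('dummy-password', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return false;
    }

    // password_verify(plaintext, hash): the raw submitted password goes in
    // unmodified (no escaping, trimming or extra hashing), the stored hash second.
    return password_verify($password, $hash);
}

// Usage in the login handler. Assumes $connection, $myusername and $myjelszo
// have already been set up as in the question.
session_start();
if (check_login($connection, $myusername, $myjelszo)) {
    session_regenerate_id(true);            // new session id on login (fixation)
    $_SESSION['username'] = $myusername;    // the variable, not the literal string
    // The password itself is never stored in the session.
    header("Location: login_success.php");
    exit;                                   // stop the script after the redirect
}
echo "Wrong Username or Password";
```

Two details worth keeping from the question's code: the original assigned the literal strings "myusername" and "myjelszo" to the session rather than the variables, and it put the plaintext password into $_SESSION; the session only needs the username. The header() redirect is also followed by exit so the rest of the page never runs for an unauthenticated request.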

Sometimes password_verify isn't working in most versions of PHP.

Try using this instead:

if ($myjelszo != $hash) {
  $_SESSION['username']= "myusername";
  $_SESSION['jelszo']= "myjelszo";
  header("location:login_success.php");
} else {
  echo "Wrong Username or Password";
}
chamila